On Thu, Jun 17, 2004 at 04:09:49PM +0200, Javier Fernández-Sanguino Peña wrote:
> 2.- Besides the kernel changes, Adamantix recompiles the distribution with
> a GCC patch that should limit buffer overflows, this one is called SPP
> (formerly known as ProPolice). Steven Kemp is currently testing its impact
> (see http://shellcode.org/Cat/). Gcc 3.3 does not yet include the patch per
> default since it has not been sufficiently tested on non-i386 archs AFAIK
> (see #233208 and #213994 for more information) There have been a number of
> discussions at -devel regarding this patch (browse the archives)
I've recently (less than two days ago) updated my SSP enabled
compiler for unstable, this is described in the link above, and
can be downloaded with the following sources list:
#
# SSP / ProPolice GCC and supporting packages.
#
# Raw Index
#
deb http://people.debian.org/~skx/apt/unstable ./
deb-src http://people.debian.org/~skx/apt/unstable ./
> 2.- the pre-compiled packages are not available currently in Debian, but
> you can re-compile them yourself. Debian might provide, in the future, a
> i386 'flavor' that is compiled with SPP. However, this will be a different
> "architecture" (just like i386 is different from sparc) and that means
> there is a need for mirror space and porters.
I think there's little value in using another "arch" to separate this
stuff if the intention is to increase the security of Debian machines.
If there are drawbacks to using it for x86 these should be discovered
and fixed, so that all intel users can benefit.
> So, even though all those features are currently easier to be found on
> Adamantix (after all it's a very feature-specific distribution) they will
> be available in Debian, fully supported and maybe even within the default
> installation, sometime in the future.
There don't seem to be too many people interested in this kind of
thing, although SELinux is gaining momentum at least.
Unless there is more testing and discussion the situation isn't likely
to change soon.
> How can you speed it up? Help get more testing/documentation done for the
> Adamantix-specific things and help make this new 'i386-spp' flavor
> available by testing both the SPP patches and packages compiled with SPP
> enabled.
I can help with the latter; rebuilding packages is usually fairly
trivial, and minimal testing is straightforward. It's the distributing
that I cannot manage alone. (I can't build the packages on Debian
machines because I lack the ability to upload new GCCs into the
build environment, or that would solve my problems.)
If there is demand I can share small packages, apache, bind, ssh etc
with people but nowhere near a full mirror of unstable.
> Notice that Adamantix's FAQ is not correct in some of the points they make
> (see http://www.adamantix.org/faq.html). You can submit bugs to Debian's
> BTS if they are related to any of the above.
Yes.
> > Further information is provided at http://www.trusteddebian.org/
>
> That link is not correct, and might be deprecated in the future, use
> www.adamantix.org
It's already deprecated due to the trademark issues, this is why
the name was changed to Adamantix.
Steve
--